Diffstat (limited to 'meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch')
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch | 102 |
1 files changed, 102 insertions, 0 deletions
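--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
@@ -0,0 +1,102 @@
+From 8fd720c3e319da773b48c0b191f049dbd1e3c7f0 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 11 Jul 2016 23:09:33 +0800
+Subject: [PATCH] Improve exit message formatting
+
+CVE: CVE-2016-7406
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/cli-main.c b/cli-main.c
+--- a/cli-main.c 2016-03-09 15:54:53.000000000 +0100
++++ b/cli-main.c 2016-10-20 12:49:00.323501119 +0200
+@@ -85,29 +85,30 @@
+#endif /* DBMULTI stuff */
+
+static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
++ char exitmsg[150];
++ char fullmsg[300];
+
+- char fmtbuf[300];
+- char exitmsg[500];
++ /* Note that exit message must be rendered before session cleanup */
+
++ /* Render the formatted exit message */
++ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
++
++ /* Add the prefix depending on session/auth state */
+if (!sessinitdone) {
+- snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
+- format);
++ snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
+} else {
+- snprintf(fmtbuf, sizeof(fmtbuf),
++ snprintf(fullmsg, sizeof(fullmsg),
+"Connection to %s@%s:%s exited: %s",
+cli_opts.username, cli_opts.remotehost,
+- cli_opts.remoteport, format);
++ cli_opts.remoteport, exitmsg);
+}
+
+- /* Arguments to the exit printout may be unsafe to use after session_cleanup() */
+- vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
+-
+/* Do the cleanup first, since then the terminal will be reset */
+session_cleanup();
+/* Avoid printing onwards from terminal cruft */
+fprintf(stderr, "\n");
+
+- dropbear_log(LOG_INFO, "%s", exitmsg);;
++ dropbear_log(LOG_INFO, "%s", fullmsg);
+exit(exitcode);
+}
+
+diff -ruN a/svr-session.c b/svr-session.c
+--- a/svr-session.c 2016-03-09 15:54:54.000000000 +0100
++++ b/svr-session.c 2016-10-20 13:27:20.629628336 +0200
+@@ -145,30 +145,33 @@
+/* failure exit - format must be <= 100 chars */
+void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
+
+- char fmtbuf[300];
++ char exitmsg[150];
++ char fullmsg[300];
+int i;
+
++ /* Render the formatted exit message */
++ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
++
++ /* Add the prefix depending on session/auth state */
+if (!sessinitdone) {
+/* before session init */
+- snprintf(fmtbuf, sizeof(fmtbuf),
+- "Early exit: %s", format);
++ snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
+} else if (ses.authstate.authdone) {
+/* user has authenticated */
+- snprintf(fmtbuf, sizeof(fmtbuf),
++ snprintf(fullmsg, sizeof(fullmsg),
+"Exit (%s): %s",
+- ses.authstate.pw_name, format);
++ ses.authstate.pw_name, exitmsg);
+} else if (ses.authstate.pw_name) {
+/* we have a potential user */
+- snprintf(fmtbuf, sizeof(fmtbuf),
++ snprintf(fullmsg, sizeof(fullmsg),
+"Exit before auth (user '%s', %d fails): %s",
+- ses.authstate.pw_name, ses.authstate.failcount, format);
++ ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
+} else {
+/* before userauth */
+- snprintf(fmtbuf, sizeof(fmtbuf),
+- "Exit before auth: %s", format);
++ snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
+}
+
+- _dropbear_log(LOG_INFO, fmtbuf, param);
++ dropbear_log(LOG_INFO, "%s", fullmsg);
+
+#ifdef USE_VFORK
+/* For uclinux only the main server process should cleanup - we don't want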
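Review bot: The comment kept above `svr_dropbear_exit` (`/* failure exit - format must be <= 100 chars */`) no longer describes the limit that matters, because the rendered message now goes through `vsnprintf` into `exitmsg[150]` and is silently truncated there, in `cli_dropbear_exit` as well. I would reword it to `/* failure exit - format must not contain caller-controlled text; the rendered message is truncated to sizeof(exitmsg) - 1 bytes */`. The fix still passes `format` to `vsnprintf` as the format string, so it only holds while every caller supplies a fixed format and puts variable data in the arguments; that constraint is worth stating at both functions. `svr_dropbear_exit` continues past the end of this patch, so the rest of its body was not reviewed. This view is limited to the patch file, so check separately that the recipe's SRC_URI lists it, since otherwise the backport is presumably not applied at build time.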